[Bug 1281] Using kernel 4.18.10, nft commandline tool or nft -f can't parse negative priority values over -200.

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Fri Jul 12 12:31:46 CEST 2019


https://bugzilla.netfilter.org/show_bug.cgi?id=1281

Phil Sutter <phil at nwl.cc> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |phil at nwl.cc
         Resolution|---                         |INVALID

--- Comment #1 from Phil Sutter <phil at nwl.cc> ---
Hi,

(In reply to seungheon from comment #0)
[...]
> I want to use nft -f command for enrolling rule.
> This is my rule.
> --------------------------------------------------------------------
> table ip testbed_nat {
>     chain preroutingnat_200 {
>         type nat hook prerouting priority -300; policy accept;
>     }
>     chain postroutingnat_200 {
>         type nat hook postrouting priority -300; policy accept;
>     }
> }
> --------------------------------------------------------------------
> 
> But, the result of nft -f command is this.
> ~# nft -f rule
> rule:4:15-31: Error: Could not process rule: Operation not supported
>         chain preroutingnat_200 {
>               ^^^^^^^^^^^^^^^^^
> rule:10:15-32: Error: Could not process rule: Operation not supported
>         chain postroutingnat_200 {
>               ^^^^^^^^^^^^^^^^^^
> 
> I changed priority value -300 -> -199, it worked. But I changed value over
> -200, it didn't work.
> And I changed kernel version 4.18.10 to 4.15 or 4.13, then it worked.

Starting with Linux kernel version 4.16, nftables rejects nat chains hooking
before conntrack as that would not work. Related commit is:

commit 84ba7dd71add05b52e55c60b4a3af9bb6194c73d
Author: Florian Westphal <fw at strlen.de>
Date:   Fri Dec 8 17:01:55 2017 +0100

    netfilter: nf_tables: reject nat hook registration if prio is before conntrack

    No problem for iptables as priorities are fixed values defined in the
    nat modules, but in nftables the priority is coming from userspace.

    Reject in case we see that such a hook would not work.

    Signed-off-by: Florian Westphal <fw at strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

So in summary, you can't use a priority value lower than or equal to -200 for
nat type chains.

I'll take a note to reject this in userspace though (and provide a descriptive
error message, not just EOPNOTSUPP).

Thanks, Phil
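
As an added example (not part of this bug report, and not nft's own code), a small Python check that applies the kernel's rule from userspace: it scans an nft ruleset for nat base chains whose numeric priority is <= -200 (NF_IP_PRI_CONNTRACK) and reports them with a descriptive message instead of the bare EOPNOTSUPP. It assumes priorities are written numerically as `priority N;` on the `type ... hook ...` line, as in the quoted ruleset; the sample ruleset below is constructed.

```python
import re

# Hook priority of the conntrack hook (NF_IP_PRI_CONNTRACK in the kernel).
# Since Linux 4.16 a nat chain registered at a priority <= this value is
# rejected with EOPNOTSUPP, because NAT needs conntrack to have run first.
NF_IP_PRI_CONNTRACK = -200

CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s*\{")
HOOK_RE = re.compile(r"^\s*type\s+(\w+)\s+hook\s+(\w+)\s+priority\s+(-?\d+)\s*;")


def find_bad_nat_chains(ruleset: str) -> list:
    """Return (line_no, chain, hook, priority) for every nat base chain
    whose priority the kernel would reject (numeric priorities only)."""
    problems = []
    current_chain = None
    for line_no, line in enumerate(ruleset.splitlines(), start=1):
        m = CHAIN_RE.match(line)
        if m:
            current_chain = m.group(1)
            continue
        if line.strip() == "}":
            current_chain = None  # closes a chain or table block
            continue
        m = HOOK_RE.match(line)
        if m and current_chain is not None:
            chain_type, hook, prio = m.group(1), m.group(2), int(m.group(3))
            if chain_type == "nat" and prio <= NF_IP_PRI_CONNTRACK:
                problems.append((line_no, current_chain, hook, prio))
    return problems


def describe(problems: list) -> list:
    """Human-readable messages, one per rejected chain."""
    return [
        f"line {n}: nat chain {c} (hook {h}) has priority {p}; nat chains must "
        f"use a priority greater than {NF_IP_PRI_CONNTRACK} (conntrack)"
        for n, c, h, p in problems
    ]


# Constructed sample: the reporter's ruleset with one chain fixed to -199 and
# a filter chain at -300, which the kernel accepts (the rule is nat-only).
SAMPLE_RULESET = """\
table ip testbed_nat {
    chain preroutingnat_200 {
        type nat hook prerouting priority -300; policy accept;
    }
    chain postroutingnat_200 {
        type nat hook postrouting priority -199; policy accept;
    }
    chain rawpre {
        type filter hook prerouting priority -300; policy accept;
    }
}
"""
```

Running `describe(find_bad_nat_chains(SAMPLE_RULESET))` flags only `preroutingnat_200` at line 3; the -199 nat chain and the -300 filter chain pass.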
